Solaris2.6/openldap/nss_ldap/open_ldap

Hi,
Feedback to the list on getting Solaris2.6/openldap/nss_ldap/open_ldap running.
I am using ldap version 1.2.1, Berkeley DB version 2.7.7 (we tried 3.x and it
doesn't compile) and nss-ldap-149. We wanted to be able to use both ldap &
local accounts at the same time.
Download/Compile BerkeleyDB... I recommend version 2.7.7, standard compile and
install.
Download/Compile OpenLDAP...
Compile openldap with the following lines...
env LIBS="-lpthread -lposix4" \
CPPFLAGS="-I/usr/local/BerkeleyDB/include" \
LDFLAGS="-L/usr/local/BerkeleyDB/lib" \
./configure --with-ldbm-api=db2 --enable-shared --enable-passwd
make depend
make
make install
Not sure if you need --enable-shared or --enable-passwd in fact.
Download and compile the pam_ldap/nss_ldap modules from www.padl.com/. Nothing
special here, just follow the installation instructions.
Now for the tricky bit... configure the /etc/ldap.conf and
/usr/local/etc/openldap/etc/slapd.conf files.
/etc/ldap.conf needs only
host 127.0.0.1
base dc=jpmorgan,dc=geneva,dc=ch
pam_password crypt
/usr/local/etc/openldap/etc/slapd.conf needs only
include /usr/local/etc/openldap/slapd.at.conf
include /usr/local/etc/openldap/slapd.oc.conf
schemacheck off
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database ldbm
suffix "dc=jpmorgan,dc=geneva,dc=ch"
rootdn "cn=root,dc=jpmorgan,dc=geneva,dc=ch"
rootpw secret
directory /usr/local/var/openldap-ldbm
index cn,sn,uid
access to attrs=userpassword
        by self write
        by dn="cn=root,ou=people,dc=jpmorgan,dc=geneva,dc=ch" write
        by * none
access to *
        by self write
        by dn="cn=root,ou=people,dc=jpmorgan,dc=geneva,dc=ch" write
access to * by * read
You need to add the following to /usr/local/etc/openldap/slapd.oc.conf (or I did
anyway; if someone knows better please let me know).
objectclass shadowAccount
        requires
                uid
        allows
                userPassword,
                shadowLastChange,
                shadowMin,
                shadowMax,
                shadowWarning,
                shadowInactive,
                shadowExpire,
                shadowFlag,
                description
And now start the ldap daemon and add the entries.
Examples of commands to run to add/delete/search for/change password entries in
the above example...
ldapadd -D cn=root,dc=jpmorgan,dc=geneva,dc=ch -W < add.ldiff (see below for contents)
ldapdelete -D cn=root,dc=jpmorgan,dc=geneva,dc=ch -w secret
ldapsearch -L -b "dc=jpmorgan,dc=geneva,dc=ch" "(objectclass=*)"
ldappasswd -b "dc=jpmorgan,dc=geneva,dc=ch" "uid=ldap,ou=people,dc=jpmorgan,dc=geneva,dc=ch"
An example of the minimum five entries you would need to add for authentication
of a user and a group, in this order (each entry separated by a blank line, as
ldapadd expects).
dn: dc=jpmorgan,dc=geneva,dc=ch
description: jpmorgan
objectclass: organization
objectclass: top

dn: ou=People,dc=jpmorgan,dc=geneva,dc=ch
objectclass: organizationalUnit
objectclass: top

dn: ou=group,dc=jpmorgan,dc=geneva,dc=ch
objectclass: organizationalUnit
objectclass: top

dn: cn=users,ou=Group,dc=jpmorgan,dc=geneva,dc=ch
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 10

dn: uid=ldap,ou=People,dc=jpmorgan,dc=geneva,dc=ch
uid: ldap
cn: LDAP user
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}Y7GtTDeK
loginShell: /bin/ksh
uidnumber: 1000
gidnumber: 10
homeDirectory: /users/ldap
gecos: LDAP user
description: LDAP user
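Before feeding a file like this to ldapadd it is worth checking it mechanically. The script below is an added example, not code from the original post and not part of OpenLDAP or the PADL modules. It assumes a simple LDIF with one value per line (no base64 or folded continuation lines), and it uses the post's five entries, retyped as a constructed sample with the blank lines ldapadd needs, as its input. It verifies that every parent DN appears before its children (the "in this order" requirement), that posixAccount and posixGroup entries carry the attributes RFC 2307 makes mandatory, that the account's gidNumber names a group defined earlier in the file, and that userPassword carries a {scheme} prefix rather than a cleartext value.

```python
# Added example (not from the original post): parse the bootstrap LDIF and
# check it before running ldapadd.  Single-line attribute values only.

# Constructed sample: the post's five entries, blank-line separated as LDIF
# requires.  LDAP attribute names are case-insensitive ("uidnumber" ==
# "uidNumber"), so the parser lowercases them.
SAMPLE_LDIF = """\
dn: dc=jpmorgan,dc=geneva,dc=ch
objectclass: organization
objectclass: top

dn: ou=People,dc=jpmorgan,dc=geneva,dc=ch
objectclass: organizationalUnit
objectclass: top

dn: ou=group,dc=jpmorgan,dc=geneva,dc=ch
objectclass: organizationalUnit
objectclass: top

dn: cn=users,ou=Group,dc=jpmorgan,dc=geneva,dc=ch
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 10

dn: uid=ldap,ou=People,dc=jpmorgan,dc=geneva,dc=ch
uid: ldap
cn: LDAP user
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
userPassword: {crypt}Y7GtTDeK
uidnumber: 1000
gidnumber: 10
homeDirectory: /users/ldap
"""

# Attributes RFC 2307 marks MUST for these object classes (lowercased).
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}


def parse_ldif(text):
    """Return [(dn, attrs), ...] in file order; attrs maps lowercased attribute
    names to value lists.  '#' lines are comments; a blank line ends an entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = (value, {})
        elif cur is not None:
            cur[1].setdefault(name, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def normalize_dn(dn):
    """Lowercase and drop spaces after commas so DNs compare case-insensitively."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_bootstrap(text, suffix):
    """Return a list of problem strings; an empty list means the file looks sound."""
    problems, seen, groups = [], set(), {}  # groups: gidNumber -> group DN
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        parent = ndn.partition(",")[2]
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        # 1. Ordering: the parent must already be in the file (suffix excepted).
        if ndn != normalize_dn(suffix) and parent not in seen:
            problems.append(f"{dn}: parent {parent} must be added first")
        seen.add(ndn)
        # 2. Schema: RFC 2307 MUST attributes present.
        for cls, must in REQUIRED.items():
            if cls in classes:
                for missing in sorted(must - set(attrs)):
                    problems.append(f"{dn}: {cls} is missing {missing}")
        if "posixgroup" in classes:
            for gid in attrs.get("gidnumber", []):
                groups[gid] = dn
        if "posixaccount" in classes:
            # 3. Primary group must be a posixGroup defined earlier.
            for gid in attrs.get("gidnumber", []):
                if gid not in groups:
                    problems.append(f"{dn}: gidNumber {gid} has no posixGroup")
            # 4. Password must carry a {scheme} prefix, never cleartext.
            for pw in attrs.get("userpassword", []):
                if not (pw.startswith("{") and "}" in pw):
                    problems.append(f"{dn}: userPassword stored without a {{scheme}} prefix")
    return problems
```

Running check_bootstrap(SAMPLE_LDIF, "dc=jpmorgan,dc=geneva,dc=ch") returns an empty list for the sample; swapping the ou=People entry below the uid=ldap entry, or giving the account a gidNumber with no matching group, produces a problem line for each fault so the file can be fixed before slapd rejects it half way through.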
Then you need to edit /etc/pam.conf; mine looks like this.. we are just using
ldap for authentication of rlogin users in this example. Beware: the pam.conf
in the nss_ldap directory doesn't appear to work "out-of-the-box" with
Solaris 2.6.
login    auth     required    /usr/lib/security/pam_unix.so.1
login    auth     required    /usr/lib/security/pam_dial_auth.so.1
telnet   auth     required    /usr/lib/security/pam_unix.so.1
rlogin   auth     sufficient  /usr/lib/security/pam_rhosts_auth.so.1
# the following line is new
rlogin   auth     sufficient  /usr/lib/security/pam_ldap.so.1
# the try_first_pass parameter on the following line is new also
rlogin   auth     required    /usr/lib/security/pam_unix.so.1 try_first_pass
dtlogin  auth     required    /usr/lib/security/pam_unix.so.1 try_first_pass
rsh      auth     required    /usr/lib/security/pam_rhosts_auth.so.1
other    auth     required    /usr/lib/security/pam_unix.so.1
login    account  required    /usr/lib/security/pam_unix.so.1
dtlogin  account  required    /usr/lib/security/pam_unix.so.1
other    account  required    /usr/lib/security/pam_unix.so.1
other    session  required    /usr/lib/security/pam_unix.so.1
other    password required    /usr/lib/security/pam_unix.so.1
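The rlogin stack above gets its "both ldap and local accounts" behaviour from the control flags: pam_ldap is sufficient, so a successful LDAP bind finishes the stack, while a failed one falls through to the required pam_unix, whose try_first_pass reuses the password already typed. The checker below is an added example, not from the original post or from PADL, that parses a Solaris-style pam.conf and flags auth stacks which use pam_ldap but depart from that layout. Its input is a constructed sample: the post's rlogin and dtlogin lines plus a deliberately misconfigured telnet stack (pam_ldap marked required, pam_unix without try_first_pass) so there is something to report.

```python
# Added example (not from the original post): check pam.conf auth stacks that
# use pam_ldap for the layout the post arrives at, i.e. pam_ldap 'sufficient'
# followed by a 'required' pam_unix carrying try_first_pass.  A 'required'
# pam_ldap locks local accounts out whenever the directory is unreachable;
# a pam_unix without try_first_pass prompts for the password a second time.

# Constructed sample: the post's rlogin/dtlogin lines plus a deliberately
# wrong telnet stack.  Fields: service, type, control flag, module, options.
SAMPLE_PAM_CONF = """\
# service type  flag        module                                  options
rlogin   auth  sufficient  /usr/lib/security/pam_rhosts_auth.so.1
rlogin   auth  sufficient  /usr/lib/security/pam_ldap.so.1
rlogin   auth  required    /usr/lib/security/pam_unix.so.1         try_first_pass
dtlogin  auth  required    /usr/lib/security/pam_unix.so.1         try_first_pass
telnet   auth  required    /usr/lib/security/pam_ldap.so.1
telnet   auth  required    /usr/lib/security/pam_unix.so.1
other    auth  required    /usr/lib/security/pam_unix.so.1
rlogin   account required  /usr/lib/security/pam_unix.so.1
"""


def parse_pam_conf(text):
    """Return {service: [(type, flag, module_path, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed line
        service, mtype, flag, module = fields[:4]
        stacks.setdefault(service, []).append((mtype.lower(), flag.lower(), module, fields[4:]))
    return stacks


def _is(module_path, name):
    """True if the module file name starts with name (e.g. pam_ldap.so.1)."""
    return module_path.rsplit("/", 1)[-1].startswith(name)


def check_ldap_auth(stacks):
    """Return a finding per departure from the sufficient-ldap/required-unix layout."""
    findings = []
    for service, entries in stacks.items():
        auth = [e for e in entries if e[0] == "auth"]
        ldap_idx = next((i for i, e in enumerate(auth) if _is(e[2], "pam_ldap")), None)
        if ldap_idx is None:
            continue  # service does not authenticate against LDAP
        if auth[ldap_idx][1] != "sufficient":
            findings.append(f"{service}: pam_ldap is '{auth[ldap_idx][1]}', not 'sufficient'; "
                            "local accounts are locked out when LDAP is unreachable")
        unix_after = [e for e in auth[ldap_idx + 1:] if _is(e[2], "pam_unix")]
        if not unix_after:
            findings.append(f"{service}: no pam_unix after pam_ldap; local accounts cannot log in")
            continue
        _, uflag, _, uopts = unix_after[0]
        if uflag != "required":
            findings.append(f"{service}: pam_unix after pam_ldap should be 'required', not '{uflag}'")
        if "try_first_pass" not in uopts:
            findings.append(f"{service}: pam_unix lacks try_first_pass; users are prompted twice")
    return findings
```

On the sample, check_ldap_auth(parse_pam_conf(SAMPLE_PAM_CONF)) reports two findings, both against telnet, and nothing for rlogin. The same parser can be pointed at a real /etc/pam.conf read from disk.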
And change /etc/nsswitch.conf so that it references ldap; the two lines should
look like this..
passwd: files ldap
group: files ldap
And then you should be able to rlogin from another workstation referencing the
ldap server. I think I have covered everything.
Good luck
Many thanks to the users of this list who helped me to get here... time taken
approximately 1 week....
Mark